Grafana up to 10.3.4 Delete Request /api/snapshots/ authorization

Summaryinfo

A vulnerability was found in Grafana up to 9.5.17/10.0.12/10.1.8/10.2.5/10.3.4 and classified as problematic. This vulnerability affects unknown code of the file /api/snapshots/ of the component Delete Request Handler. Executing a manipulation can lead to authorization. This vulnerability is tracked as CVE-2024-1313. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Grafana up to 9.5.17/10.0.12/10.1.8/10.2.5/10.3.4 and classified as problematic. This vulnerability affects an unknown code of the file /api/snapshots/ of the component Delete Request Handler. The manipulation with an unknown input leads to a authorization vulnerability. The CWE definition for the vulnerability is CWE-639. The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. As an impact it is known to affect integrity, and availability. CVE summarizes:

It is possible for a user in a different organization from the owner of a snapshot to bypass authorization and delete a snapshot by issuing a DELETE request to /api/snapshots/ using its view key. This functionality is intended to only be available to individuals with the permission to write/edit to the snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from 10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5.

The weakness was disclosed by Ravid Mazon. The advisory is shared for download at grafana.com. This vulnerability was named CVE-2024-1313 since 02/07/2024. The exploitation appears to be easy. The attack can be initiated remotely. There are known technical details, but no exploit is available.

The vulnerability scanner Nessus provides a plugin with the ID 276108 (TencentOS Server 4: grafana (TSSA-2024:0907)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.5.18, 10.0.13, 10.1.9, 10.2.6, 10.3.5 or 10.4.0 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (276108). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Grafana

Version

• 9.5.0
• 9.5.1
• 9.5.2
• 9.5.3
• 9.5.4
• 9.5.5
• 9.5.6
• 9.5.7
• 9.5.8
• 9.5.9
• 9.5.10
• 9.5.11
• 9.5.12
• 9.5.13
• 9.5.14
• 9.5.15
• 9.5.16
• 9.5.17
• 10.0.0
• 10.0.1
• 10.0.2
• 10.0.3
• 10.0.4
• 10.0.5
• 10.0.6
• 10.0.7
• 10.0.8
• 10.0.9
• 10.0.10
• 10.0.11
• 10.0.12
• 10.1.0
• 10.1.1
• 10.1.2
• 10.1.3
• 10.1.4
• 10.1.5
• 10.1.6
• 10.1.7
• 10.1.8
• 10.2.0
• 10.2.1
• 10.2.2
• 10.2.3
• 10.2.4
• 10.2.5
• 10.3.0
• 10.3.1
• 10.3.2
• 10.3.3
• 10.3.4

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion